Bug 824519 - [RFE] Binding IPA Replica to a specific Nic or hostname using --hostname
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Target Milestone: rc
Target Release: 7.1
Assigned To: Martin Kosek
QA Contact: IDM QE LIST
Keywords: FutureFeature
Reported: 2012-05-23 12:26 EDT by Steeve Goveas
Modified: 2016-02-19 07:03 EST
Doc Type: Enhancement
Type: Bug
Last Closed: 2016-02-19 07:03:41 EST
Attachments: None

Description Steeve Goveas 2012-05-23 12:26:54 EDT
Description of problem: 
Server has 2 NICs and each NIC resolves to a different hostname. Installing IPA Replica server using the secondary hostname which is bound to the 2nd NIC fails

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

Note: We need to uninstall IPA before moving on to the next case
# ipa-server-install --uninstall

Verify
# netstat -ntlp | egrep '389|636'

Case 1: Without --ip-address option. Not using /etc/hosts file

1. Prepare replica file from the master server

# ipa-replica-prepare options <secondary FQDN>

2.  Copy replica file over to Replica Server

3. Make sure both hostnames resolve through DNS with their respective PTR records

4. Install Replica first without any options

# ipa-replica-install REPLICA_FILE


Case 2: With --ip-address option. Not using /etc/hosts file

5. Install Replica, giving the IP address option

# ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Case 3: Using /etc/hosts file for Hostname resolution without --ip-address option

6. # ipa-replica-install REPLICA_FILE

Case 4: Using /etc/hosts file for Hostname resolution with --ip-address option

7. # ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Actual results:

For Case 1 and 3

creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


For Case 2 and 4

Error: the hostname resolves to an IP address that is different
from the one provided on the command line. Please fix your DNS
or /etc/hosts file and restart the installation.


[21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:

Replica installation should be successful.

Additional info:

RFE: To use --hostname to configure binding replica to specific NIC or hostname

E.g.
* On Master IPA server

[root@ratchet ~]# host eywa.lab.eng.pnq.redhat.com ; host 10.65.201.136
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@ratchet ~]# ipa-replica-prepare eywa.lab.eng.pnq.redhat.com
Directory Manager (existing master) password:

Preparing replica for eywa.lab.eng.pnq.redhat.com from ratchet.lab.eng.pnq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-eywa.lab.eng.pnq.redhat.com.gpg

[root@ratchet ~]# ipa dnsrecord-find lab.eng.pnq.redhat.com. eywa
----------------------------
Number of entries returned 0
----------------------------

[root@ratchet ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245


* On Replica server

[root@sideswipe ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@sideswipe ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245

[root@sideswipe ~]# host sideswipe.lab.eng.pnq.redhat.com ; host 10.65.201.67; host eywa.lab.eng.pnq.redhat.com; host 10.65.201.136
sideswipe.lab.eng.pnq.redhat.com has address 10.65.201.67
67.201.65.10.in-addr.arpa domain name pointer sideswipe.lab.eng.pnq.redhat.com.
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@sideswipe ~]# ipa-replica-install replica-info-eywa.lab.eng.pnq.redhat.com.gpg
Directory Manager (existing master) password:

This replica was created for 'eywa.lab.eng.pnq.redhat.com' but this machine is named 'sideswipe.lab.eng.pnq.redhat.com'
This may cause problems. Continue? [yes]:

Run connection check to master
Check connection from replica to remote master 'ratchet.lab.eng.pnq.redhat.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
.
.
[20/30]: restarting directory server
[21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
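The two failures quoted above (the command-line IP disagreeing with what DNS returns, and the "hostname does not match CN in peer certificate" error once replication starts) are both consequences of three things disagreeing: the name the replica machine carries, the address of the NIC it should serve on, and the name baked into the certificate that ipa-replica-prepare produced. The script below is an added example, not part of this bug report and not FreeIPA's own code, that runs those consistency checks before any install is attempted. Lookup results come from constructed tables mirroring the `host` output shown above, so it runs offline; a real pre-flight check would instead pass wrappers around `socket.gethostbyname` and `socket.gethostbyaddr`, and read the CN and SAN list out of the prepared certificate with a library such as `cryptography`. The hostname matching is a simplified RFC 6125 check (exact match, or a single leading wildcard label), which is an assumption about what suffices here and not FreeIPA's own validation logic.

```python
"""Pre-flight consistency checks for an IPA replica hostname (added example).

Checks that would have flagged the failure in the report before
ipa-replica-install ran:
  1. the hostname chosen for the replica resolves to the NIC's IP, and that
     IP reverse-resolves to the same hostname;
  2. that hostname matches the CN/SAN of the certificate prepared for it.
Lookups are injected so the script runs offline.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed lookup tables mirroring the `host` output in the bug report.
FORWARD = {
    "eywa.lab.eng.pnq.redhat.com": "10.65.201.136",
    "sideswipe.lab.eng.pnq.redhat.com": "10.65.201.67",
}
REVERSE = {ip: name for name, ip in FORWARD.items()}


def check_forward_reverse(hostname: str, ip: str,
                          forward=FORWARD.get, reverse=REVERSE.get) -> list[str]:
    """Return a list of problems; an empty list means name and IP agree both ways.

    `forward` / `reverse` are callables returning None when nothing resolves
    (here dict.get over the constructed tables; in real use, socket wrappers).
    """
    problems: list[str] = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return [f"{ip!r} is not a valid IP address"]
    fwd = forward(hostname)
    if fwd is None:
        problems.append(f"{hostname} does not resolve")
    elif fwd != ip:
        problems.append(f"{hostname} resolves to {fwd}, not {ip}")
    rev = reverse(ip)
    if rev is None:
        problems.append(f"{ip} has no PTR record")
    elif rev.rstrip(".").lower() != hostname.rstrip(".").lower():
        problems.append(f"{ip} reverse-resolves to {rev}, not {hostname}")
    return problems


def _label_match(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 match: exact name, or a single leading '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must stand for exactly one label and must not sit
    # directly above a top-level domain.
    return (len(p_labels) == len(h_labels) and len(h_labels) > 2
            and p_labels[1:] == h_labels[1:])


def hostname_matches_cert(hostname: str, cn: str, sans: Iterable[str] = ()) -> bool:
    """True if hostname matches a SAN dNSName, or the CN when no SANs are present."""
    sans = list(sans)
    if sans:
        return any(_label_match(s, hostname) for s in sans)
    return _label_match(cn, hostname)


def preflight(hostname: str, ip: str, cert_cn: str,
              cert_sans: Iterable[str] = ()) -> list[str]:
    """Combine the DNS and certificate checks; empty list means safe to proceed."""
    problems = check_forward_reverse(hostname, ip)
    if not hostname_matches_cert(hostname, cert_cn, cert_sans):
        problems.append(f"certificate CN/SAN {cert_cn!r} does not match {hostname}")
    return problems


if __name__ == "__main__":
    # The reported scenario: replica file prepared for eywa, but the machine
    # is named sideswipe and the second NIC holds eywa's address.
    for p in preflight("sideswipe.lab.eng.pnq.redhat.com", "10.65.201.136",
                       "eywa.lab.eng.pnq.redhat.com"):
        print("FAIL:", p)
```

Run with the values from the report and all three checks fail, which corresponds to the two error messages the installer printed; run with `eywa.lab.eng.pnq.redhat.com` and `10.65.201.136` (the combination the RFE asks `--hostname` to select) and the list is empty.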
Comment 4 Dmitri Pal 2012-05-24 18:46:49 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2787
Comment 6 Martin Kosek 2016-02-19 07:03:41 EST
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see the link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project or in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsider the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.
